Suspicious Chinese Threat Actor IOCs
Jun 21, 2023
Exploitation
Overview
A campaign was detected using tools created between 2020 and 2023. The toolset included multiple payloads and delivery mechanisms, a reverse shell implemented in PowerShell, and a list of potential zombie/bot hosts.
IOCs
IPv4
Files
Most of these archives are password protected and have not been analysed; hashes are MD5 where listed.
- 目标靶机.txt - [target drone.txt]
- Warcraft3FrozenThrone1.26.zip - f6db649947113d322afa9be433c682d1
- a.7z - 9c5ab4aefdb6a7c87ec4e8b5909f5624
- cmdasp.asp - [Generic WebShell] - 57b51418a799d2d016be546f399c2e9b
- code_2.7z - 08568ec35e8052ed2be00d5215ceadeb
- databasecheck.7z - bf5379479d856b79d375b57620492b4f
- hw报告.7z - [hwreport.7z] - 9c5ab4aefdb6a7c87ec4e8b5909f5624
- jew - d3cfe06c91b29bde3b1f65f23c898bf9
- jew64 - 0e18cab98b9aa693f8517243d168b486
- nohup.out - ab143e3dd81d2e9c15ad238b8ec73a13
- pm.zip - 41add444b37945e9f5442459b1a40079
- proxydroid.apk - 71c2ba59217505decd019d4ca918a26b
- rs.ps1 - Nishang reverse TCP connection to 8.210.155.105 on port 443 - f1b44b698512045886fdd655eca23828
- vpn.apk - 950c4b7bbd35036e372bffab51caa163
- vpn.msi - 942463e22d4e409c726d03f4f7aebb50
- yaml-payload.jar - 163504a109e19ade9e6551fc3480d247